[OWASP-TESTING] Comment on testing guide and contrib for part 2
orac at uncon.org
Wed Aug 4 07:59:45 EDT 2004
I agree OWASP is definitely leading the charge on web application
security and that has proved to be a good thing.
There's always a but.... but, a lot of the leading stuff that OWASP
provides is going to take years to filter down through the 3rd party
software vendors to the end user organisations (especially if they
don't do much development in-house). We are doing our bit by making
sure that our suppliers are aware of the OWASP guide and by publishing
our own standard requirements to them (including informally training
their developers in way too many cases) but for many vendors and many
applications (especially line-of-business applications behind the
perimeter) there is a perception that security isn't an important part
of the sale which will change but will take longer.
We're not in the financial sector which I know from previous experience
is a lot further along in their externally-facing applications but
generally not much better on their internal applications.
The OWASP guide is useful to me in my role as a vendor independent
standard with which I can explain to the business why they need these
arcane things like input validation and the rest.
I suggest it would be useful to provide a certain level of guidance
over the level and types of testing of 3rd party apps from the end user
point of view. That becomes a strong supporting case for convincing the
business that these things should be done.
It's kind of like pushing at both ends of the system development scale,
currently OWASP does a good and important job of pushing developer
understanding and SDLC best practice whereas we are pushing vendors for
secure code to be delivered to us post SDLC. Hopefully we meet in the
middle at some point.
A teleconference sounds good, I am on UK time so no 2am calls please :)
On 4 Aug 2004, at 12:29, Mark Curphey wrote:
> I hear what you are saying but running a web app scanner on a web app
> is like testing a car's safety by front impact testing only. What
> happens to side impacts? Rear impacts? What happens to roll safety?
> Is it flame proof? Do the seats give off cyanide when set alight? Do
> the seat belts work? I am not saying they don't have a place; you
> articulate some reasons why they may be appropriate but they are very
> very limited and very very inaccurate.
> We have to be careful to set the pace and say what SHOULD be done
> rather than WHAT is done today. OWASP has the ability to lead the
> market into doing the right thing. That's part of the beauty of it and
> part of our duty in my opinion.
> As I can't type as fast as my stomach wants me to move to the
> breakfast room, how about a teleconference next week to debate this
> whole issue? BTW
> I have an ASP.NET C# parser I wrote that is shaping up. The major code
> review players (Fortify, Ounce and Coverity) are all working on Java
> and ASP.NET modules for their platforms.